jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1450186 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authentication/ main/java/org/apache/jackrabbit/oak/security/authentication/token/ main/java/org/apache/jackrabbit/oak/security/authentication/us...
Date Tue, 26 Feb 2013 14:30:45 GMT
Author: angela
Date: Tue Feb 26 14:30:45 2013
New Revision: 1450186

URL: http://svn.apache.org/r1450186
Log:
OAK-91 : Implement Authentication Support (wip)

- add support for pre-authenticated subjects and compliant handling of null-credentials login

Added:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.java
      - copied, changed from r1450105, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthContext.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthTest.java
Removed:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java?rev=1450186&r1=1450185&r2=1450186&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/LoginContextProviderImpl.java
Tue Feb 26 14:30:45 2013
@@ -17,6 +17,7 @@
 package org.apache.jackrabbit.oak.security.authentication;
 
 import java.security.AccessController;
+import javax.annotation.CheckForNull;
 import javax.annotation.Nonnull;
 import javax.jcr.Credentials;
 import javax.security.auth.Subject;
@@ -30,6 +31,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.authentication.JaasLoginContext;
 import org.apache.jackrabbit.oak.spi.security.authentication.LoginContext;
 import org.apache.jackrabbit.oak.spi.security.authentication.LoginContextProvider;
+import org.apache.jackrabbit.oak.spi.security.authentication.PreAuthContext;
 import org.apache.jackrabbit.oak.spi.state.NodeStore;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -64,11 +66,20 @@ public class LoginContextProviderImpl im
     public LoginContext getLoginContext(Credentials credentials, String workspaceName)
             throws LoginException {
         Subject subject = getSubject();
+        if (subject != null && credentials == null) {
+            log.debug("Found pre-authenticated subject: No further login actions required.");
+            return new PreAuthContext(subject);
+        }
+
+        if (subject == null) {
+            subject = new Subject();
+        }
         CallbackHandler handler = getCallbackHandler(credentials, workspaceName);
         return new JaasLoginContext(appName, subject, handler, configuration);
     }
 
     //------------------------------------------------------------< private >---
+    @CheckForNull
     private static Subject getSubject() {
         Subject subject = null;
         try {
@@ -76,12 +87,10 @@ public class LoginContextProviderImpl im
         } catch (SecurityException e) {
             log.debug("Can't check for pre-authentication. Reason:", e.getMessage());
         }
-        if (subject == null) {
-            subject = new Subject();
-        }
         return subject;
     }
 
+    @Nonnull
     private CallbackHandler getCallbackHandler(Credentials credentials, String workspaceName)
{
         return new CallbackHandlerImpl(credentials, workspaceName, nodeStore, commitHook,
indexProvider, securityProvider);
     }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java?rev=1450186&r1=1450185&r2=1450186&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.java
Tue Feb 26 14:30:45 2013
@@ -32,7 +32,7 @@ import javax.security.auth.login.LoginEx
 import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
 import org.apache.jackrabbit.oak.api.AuthInfo;
 import org.apache.jackrabbit.oak.api.Root;
-import org.apache.jackrabbit.oak.security.authentication.AuthInfoImpl;
+import org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule;
 import org.apache.jackrabbit.oak.spi.security.authentication.callback.TokenProviderCallback;

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java?rev=1450186&r1=1450185&r2=1450186&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/user/LoginModuleImpl.java
Tue Feb 26 14:30:45 2013
@@ -32,7 +32,7 @@ import javax.security.auth.callback.Unsu
 import javax.security.auth.login.LoginException;
 
 import org.apache.jackrabbit.oak.api.AuthInfo;
-import org.apache.jackrabbit.oak.security.authentication.AuthInfoImpl;
+import org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl;
 import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
 import org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule;
 import org.apache.jackrabbit.oak.spi.security.authentication.Authentication;

Copied: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.java
(from r1450105, jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java)
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.java?p2=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.java&p1=jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java&r1=1450105&r2=1450186&rev=1450186&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authentication/AuthInfoImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/AuthInfoImpl.java
Tue Feb 26 14:30:45 2013
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package org.apache.jackrabbit.oak.security.authentication;
+package org.apache.jackrabbit.oak.spi.security.authentication;
 
 import java.security.Principal;
 import java.util.Collections;
@@ -27,7 +27,7 @@ import org.apache.jackrabbit.oak.api.Aut
 /**
  * Default implementation of the AuthInfo interface.
  */
-public class AuthInfoImpl implements AuthInfo {
+public final class AuthInfoImpl implements AuthInfo {
 
     private final String userID;
     private final Map<String,?> attributes;

Added: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthContext.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthContext.java?rev=1450186&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthContext.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthContext.java
Tue Feb 26 14:30:45 2013
@@ -0,0 +1,55 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authentication;
+
+import javax.security.auth.Subject;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * LoginContext for pre-authenticated subjects that don't require further
+ * validation nor additional login/logout steps.
+ */
+public final class PreAuthContext implements LoginContext {
+
+    /**
+     * logger instance
+     */
+    private static final Logger log = LoggerFactory.getLogger(PreAuthContext.class);
+
+    private final Subject subject;
+
+    public PreAuthContext(Subject subject) {
+        this.subject = subject;
+    }
+
+    @Override
+    public Subject getSubject() {
+        return subject;
+    }
+
+    @Override
+    public void login() {
+        // nothing to do
+    }
+
+    @Override
+    public void logout() {
+        // nothing to do
+    }
+}
\ No newline at end of file

Added: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthTest.java?rev=1450186&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthTest.java
(added)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/spi/security/authentication/PreAuthTest.java
Tue Feb 26 14:30:45 2013
@@ -0,0 +1,189 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.oak.spi.security.authentication;
+
+import java.security.Principal;
+import java.security.PrivilegedAction;
+import java.util.Collections;
+import java.util.Set;
+import javax.jcr.GuestCredentials;
+import javax.jcr.SimpleCredentials;
+import javax.security.auth.Subject;
+import javax.security.auth.login.AppConfigurationEntry;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginException;
+
+import org.apache.jackrabbit.oak.AbstractSecurityTest;
+import org.apache.jackrabbit.oak.api.AuthInfo;
+import org.apache.jackrabbit.oak.api.ContentSession;
+import org.junit.Test;
+
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertSame;
+import static org.junit.Assert.fail;
+
+public class PreAuthTest extends AbstractSecurityTest {
+
+    @Override
+    protected Configuration getConfiguration() {
+        return new Configuration() {
+
+            @Override
+            public AppConfigurationEntry[] getAppConfigurationEntry(String s) {
+                return new AppConfigurationEntry[0];
+            }
+        };
+    }
+
+    @Test
+    public void testValidSubject() throws Exception {
+        final Subject subject = new Subject(true, Collections.singleton(new TestPrincipal()),
Collections.<Object>emptySet(), Collections.<Object>emptySet());
+        ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction<ContentSession>()
{
+            @Override
+            public ContentSession run() {
+                try {
+                    return login(null);
+                } catch (Exception e) {
+                    return null;
+                }
+            }
+        }, null);
+
+        try {
+            assertSame(AuthInfo.EMPTY, cs.getAuthInfo());
+        } finally {
+            if (cs != null) {
+                cs.close();
+            }
+        }
+    }
+
+    @Test
+    public void testValidSubjectWithCredentials() throws Exception {
+        Set<SimpleCredentials> publicCreds = Collections.singleton(new SimpleCredentials("testUserId",
new char[0]));
+        final Subject subject = new Subject(false, Collections.singleton(new TestPrincipal()),
publicCreds, Collections.<Object>emptySet());
+        ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction<ContentSession>()
{
+            @Override
+            public ContentSession run() {
+                try {
+                    return login(null);
+                } catch (Exception e) {
+                    return null;
+                }
+            }
+        }, null);
+
+        try {
+            assertSame(AuthInfo.EMPTY, cs.getAuthInfo());
+        } finally {
+            if (cs != null) {
+                cs.close();
+            }
+        }
+    }
+
+    @Test
+    public void testValidReadSubjectWithCredentials() throws Exception {
+        Set<SimpleCredentials> publicCreds = Collections.singleton(new SimpleCredentials("testUserId",
new char[0]));
+        final Subject subject = new Subject(true, Collections.singleton(new TestPrincipal()),
publicCreds, Collections.<Object>emptySet());
+        ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction<ContentSession>()
{
+            @Override
+            public ContentSession run() {
+                try {
+                    return login(null);
+                } catch (Exception e) {
+                    return null;
+                }
+            }
+        }, null);
+
+        try {
+            assertSame(AuthInfo.EMPTY, cs.getAuthInfo());
+        } finally {
+            if (cs != null) {
+                cs.close();
+            }
+        }
+    }
+
+    @Test
+    public void testValidSubjectWithAuthInfo() throws Exception {
+        AuthInfo info = new AuthInfoImpl("testUserId", Collections.<String, Object>emptyMap(),
Collections.<Principal>emptySet());
+        Set<AuthInfo> publicCreds = Collections.singleton(info);
+        final Subject subject = new Subject(false, Collections.singleton(new TestPrincipal()),
publicCreds, Collections.<Object>emptySet());
+        ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction<ContentSession>()
{
+            @Override
+            public ContentSession run() {
+                try {
+                    return login(null);
+                } catch (Exception e) {
+                    return null;
+                }
+            }
+        }, null);
+
+        try {
+            assertSame(info, cs.getAuthInfo());
+        } finally {
+            if (cs != null) {
+                cs.close();
+            }
+        }
+    }
+
+    @Test
+    public void testSubjectAndCredentials() throws Exception {
+        final Subject subject = new Subject(true, Collections.singleton(new TestPrincipal()),
Collections.<Object>emptySet(), Collections.<Object>emptySet());
+        ContentSession cs = Subject.doAsPrivileged(subject, new PrivilegedAction<ContentSession>()
{
+            @Override
+            public ContentSession run() {
+                ContentSession cs;
+                try {
+                    cs = login(new GuestCredentials());
+                    return cs;
+                } catch (Exception e) {
+                    return null;
+                }
+            }
+        }, null);
+
+        assertNull("Login should have failed.", cs);
+    }
+
+    @Test
+    public void testNullLogin() throws Exception {
+        ContentSession cs = null;
+        try {
+            cs = login(null);
+            fail("Null login without pre-auth subject should fail");
+        } catch (LoginException e) {
+            // success
+        } finally {
+            if (cs != null) {
+                cs.close();
+            }
+        }
+    }
+
+    private class TestPrincipal implements Principal {
+
+        @Override
+        public String getName() {
+            return "test";
+        }
+    }
+}
\ No newline at end of file



Mime
View raw message